Policies

Privacy, security, data processing, and accessibility for Trellis LLC.

Data Processing Agreement

This Data Processing Agreement ("Agreement") is entered into as of [EFFECTIVE_DATE] between Trellis LLC ("Provider") and [LEA_NAME] ("LEA"), collectively the "Parties". This Agreement follows the structure and substantive protections of the California Student Data Privacy Agreement (CSDPA/NDPA style) and applies to Provider's educator observation and evaluation platform.

1. Definitions

  • Student Data: information relating to a K–12 student that is provided by LEA users or collected on behalf of LEA.
  • Covered Information: information subject to SOPIPA and applicable student privacy laws.
  • Services: Provider's web-based platform used by LEA staff for observations, evaluations, and related workflows.

2. Roles and Scope

  • LEA acts as controller/owner of Student Data; Provider acts as service provider/operator processing on behalf of LEA.
  • Provider shall process Student Data solely to provide the Services and as instructed by LEA.
  • Provider does not sell Student Data and does not engage in targeted advertising.

3. Data Ownership and Access

  • LEA retains all ownership rights in Student Data.
  • LEA may access, export, correct, and delete Student Data during the term.
  • Upon request or termination, Provider will delete or return Student Data, subject to legal holds and backups.

4. Data Categories and Sources

The Services primarily store staff-entered content and metadata in Postgres (via Prisma), authenticated via Supabase:

  • User account data: staff email, name, role, and school affiliations.
  • Observation/Evaluation content: free-text notes, summaries, recommendations, and rubric-aligned data.
  • RAG and chat content: staff-entered messages; embeddings derived via OpenAI Embeddings.

Note: The Services do not intentionally collect Student Data; however, staff free-text may incidentally reference students.

5. Subprocessors

Provider uses subprocessors necessary to deliver the Services. Provider shall impose written obligations providing at least the same level of protection.

  • Supabase: authentication and managed Postgres database.
  • Anthropic (Claude): AI text generation (primary).
  • OpenAI: AI text generation (fallback) and embeddings for RAG.
  • Groq: OpenAI-compatible API for certain generation paths.

Provider will maintain an up-to-date list of subprocessors and notify LEA of material changes where required.

6. Security

  • Encryption in transit via TLS; at-rest encryption via managed Postgres.
  • Role-based access control; session security via httpOnly cookies managed with Supabase SSR.
  • Secret management via environment variables; least-privilege operational access.
  • Content Security Policy limiting external connections; clickjacking and referrer protections.
  • Vulnerability management, incident response procedures, and logging appropriate to the Services.

7. Confidentiality

Provider shall ensure personnel and subprocessors are bound by confidentiality obligations with respect to Student Data.

8. Prohibited Uses

  • No sale or disclosure of Student Data except to provide the Services or as required by law.
  • No targeted advertising or profiling beyond service provision.
  • No use of Student Data to create student profiles unrelated to LEA purposes.

9. Breach Notification

Provider will notify LEA without undue delay after confirming a breach of security leading to unauthorized access to Student Data, and will cooperate in required notifications.

10. Audits and Assessments

Upon reasonable written request, Provider will make available information necessary to demonstrate compliance and allow LEA or its designee to conduct assessments, subject to confidentiality and security constraints.

11. Data Subject Requests

Provider will assist LEA in responding to verified requests to access, correct, or delete Student Data, to the extent applicable.

12. Data Deletion and Return

At termination or upon LEA instruction, Provider will delete or return Student Data within a commercially reasonable timeframe, subject to legal holds and provider backups.

13. Term; Termination

This Agreement remains in effect for the term of the Service agreement. Either party may terminate as provided in the Master Agreement.

14. Insurance; Indemnification

As set forth in the Master Agreement or applicable order form between the Parties.

15. Governing Law

State of California, without regard to conflict of laws principles, unless otherwise agreed by the Parties.

Exhibits

  • Exhibit A – Security Measures (see Security Measures page)
  • Exhibit B – Data Elements and Purposes
  • Exhibit C – Subprocessor List

Signatures

Trellis LLC, by: ________________________________ Name/Title: __________________ Date: ____________

[LEA_NAME], by: _________________________________ Name/Title: __________________ Date: ____________

Notices: [CONTACT_EMAIL], [CONTACT_ADDRESS]; For LEA: [DISTRICT_ADDRESS]